System Binary Proxy Execution: Mshta T1218.005

Tactic: Stealth

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 55 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (39 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators rule authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| process_name | 38 | eq 31, match 3, in 2, regex_match 2, ne 1 | mshta.exe, cmd.exe, cscript.exe, bginfo.exe, certutil.exe |
| parent_process_name | 27 | eq 20, match 3, in 2, regex_match 2 | mshta.exe, explorer.exe, (?i)mshta, cmd.exe, cscript.exe |
| event.type | 24 | eq 23, ne 1 | start, deletion |
| CommandLine | 19 | contains 8, match 3, regex_match 3, is_not_null 2, wildcard 2, ends_with 1, in 1 | (?i)(http|ftp)s?:\/\/, (?i)mshta, .bat, http://, https:// |
| OriginalFileName | 17 | eq 15, in 2 | mshta.exe, cmd.exe, cscript.exe, msbuild.exe, rundll32.exe |
| Image | 12 | ends_with 8, wildcard 3, starts_with 1 | \mshta.exe, ?:\users\*\appdata\*.exe, ?:\users\*\downloads\*, \\mshta.exe, \bash.exe |
| EventID | 9 | eq 9 | 1, 4688, 11, 4103, 4104 |
| process.args | 9 | eq 5, starts_with 3, wildcard 3 | C:\Intel\, &&, *Reflection.Assembly*, *downloadstring*, *http* |
| EventType | 4 | eq 4 | start, ClrUnbackedModuleLoaded, creation |
| ParentImage | 4 | ends_with 3, eq 2, starts_with 1 | \mshta.exe, ?:\program files (x86)\teamcity\jre\bin\java.exe, ?:\program files\teamcity\jre\bin\java.exe, ?:\teamcity\buildagent\jre\bin\java.exe, \cscript.exe |
| Type | 3 | eq 3 | |
| ParentCommandLine | 2 | contains 1, is_not_null 1, regex_match 1, wildcard 1 | (?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]p..., *extensionHost*, *vscode*extensions*, -encoded , :\perflogs\ |
| TargetFilename | 2 | in 2 | *\\windows\\pla\\reports\\*, *\\windows\\pla\\rules\\*, *\\windows\\pla\\reports\\en-us\\*, *\\windows\\pla\\templates\\* |
| process.args_count | 2 | ge 2 | 2 |
| process.parent.args | 2 | eq 2 | --message-loop-type-ui, --service-sandbox-type=none, -Embedding |

Top indicator values (548 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | start | 23 | 606 |
| process_name | eq | mshta.exe | 21 | 31 |
| process_name | eq | cmd.exe | 15 | 77 |
| process_name | eq | powershell.exe | 15 | 104 |
| process_name | eq | rundll32.exe | 15 | 60 |
| process_name | eq | wscript.exe | 14 | 29 |
| process_name | eq | cscript.exe | 12 | 25 |
| process_name | eq | pwsh.exe | 10 | 62 |
| process_name | eq | regsvr32.exe | 10 | 25 |
| process_name | eq | certutil.exe | 9 | 22 |
| process_name | eq | msiexec.exe | 8 | 22 |
| process_name | eq | bitsadmin.exe | 7 | 14 |
| process_name | eq | installutil.exe | 7 | 18 |
| process_name | eq | schtasks.exe | 7 | 21 |
| process_name | eq | wmic.exe | 7 | 47 |
| process_name | eq | cmstp.exe | 6 | 10 |
| process_name | eq | ieexec.exe | 6 | 8 |
| process_name | eq | iexpress.exe | 6 | 8 |
| process_name | eq | microsoft.workflow.compiler.exe | 6 | 8 |
| process_name | eq | msxsl.exe | 6 | 9 |
| process_name | eq | regasm.exe | 6 | 11 |
| process_name | eq | regsvcs.exe | 6 | 10 |
| process_name | eq | sc.exe | 6 | 29 |
| process_name | eq | bginfo.exe | 5 | 6 |
| process_name | eq | cdb.exe | 5 | 7 |
| process_name | eq | csi.exe | 5 | 6 |
| process_name | eq | curl.exe | 5 | 15 |
| OriginalFileName | eq | mshta.exe | 8 | 22 |
| parent_process_name | eq | mshta.exe | 7 | 12 |
| parent_process_name | eq | explorer.exe | 6 | 20 |

Exclusions (183 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| process_name | eq | cmd.exe | 5 |
| process_name | eq | rundll32.exe | 3 |
| process_name | eq | powershell.exe | 2 |
| process_name | eq | regsvr32.exe | 2 |
| user.id | eq | S-1-5-18 | 3 |
| process.args | eq | -ExecutionPolicy | 2 |
| CommandLine | eq | "cmd" /c %NETBEANS_MAVEN_COMMAND_LINE% | 1 |
| CommandLine | eq | ?:\Windows\system32\cmd.exe /q /d /s /c "npm.cmd ^"install^"... | 1 |
| CommandLine | eq | driver\DPInst_x64 /f | 1 |
| CommandLine | wildcard | "C:\Windows\system32\cmd.exe" /c auditpol.exe /get* | 1 |
| CommandLine | wildcard | "C:\Windows\system32\cmd.exe" /c auditpol.exe /set /SUBCATEGORY:* | 1 |
| CommandLine | wildcard | *\HP\HP*HPUDC* | 1 |
| CommandLine | wildcard | C:\Windows\system32\cmd.exe" /c exit | 1 |
| CurrentDirectory | wildcard | ?:\Users\*\AppData\Local\Temp\BackupBootstrapper\Logs\ | 1 |
| CurrentDirectory | wildcard | ?:\Users\*\AppData\Local\Temp\QBTools\ | 1 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.


Sigma 8 rules

Elastic 26 rules

Splunk 20 rules

Kusto 1 rule